Merge pull request #461 from orchitech/custom-domino
Switch to custom Domino fork
martincizek authored Apr 8, 2024
2 parents 84e7876 + 10bbd00 commit a4ddaff
Showing 6 changed files with 13 additions and 14 deletions.
1 change: 0 additions & 1 deletion .github/workflows/test.yml
@@ -4,7 +4,6 @@ on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

jobs:
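Review bot: dropping `branches: [main]` from the `pull_request` trigger is unrelated to the Domino switch in the commit message and should either be explained there or land in its own commit; with the filter gone, test.yml now runs for pull requests targeting any branch, which is probably what you want (it lets a PR such as `custom-domino` get CI), but a one-line justification in the message would save the next reader from wondering whether it was accidental.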
6 changes: 3 additions & 3 deletions SECURITY.md
@@ -15,7 +15,7 @@ Turndown input is

When a string input is passed, the DOM parser is picked as follows.
* For web browser usage, the corresponding native web parser is used, which is typically `DOMImplementation`.
* For standalone usage, [domino](https://github.com/fgnass/domino) parser is used.
* For standalone usage, custom [domino](https://github.com/mixmark-io/domino) parser is used.

Please note that a malicious string input can cause undesired effects within the DOM parser
even before Turndown code starts processing the document itself.
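Review bot: "custom [domino](https://github.com/mixmark-io/domino) parser" is missing an article, and the sentence should name the package a reader has to audit: suggest "For standalone usage, the custom [domino](https://github.com/mixmark-io/domino) fork, published as `@mixmark-io/domino`, is used." Someone grepping their lockfile for `domino` after this change will otherwise not find the dependency the policy is talking about.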
@@ -27,8 +27,8 @@ better suits your security needs.

In particular, Turndown version 6 and below used [jsdom](https://github.com/jsdom/jsdom) as the
standalone DOM parser. As `jsdom` is a fully featured DOM parser with script execution support,
it imposes an inherent security risk. We recommend upgrading to version 7, which uses
[domino](https://github.com/fgnass/domino) that doesn't even support executing scripts nor
it imposes an inherent security risk. We recommend upgrading to version 7, which uses custom
[domino](https://github.com/mixmark-io/domino) that doesn't even support executing scripts nor
downloading external resources.

## Reporting a Vulnerability
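Review bot: the security claim on the added line ("doesn't even support executing scripts nor downloading external resources") is carried over verbatim from the description of upstream domino, but the link now points at the mixmark-io fork, so please confirm the property still holds for the fork at the version package.json requires and state that explicitly, since it is the whole argument for recommending version 7. Wording: "uses custom [domino]" should read "uses the custom [domino] fork", and "doesn't even support executing scripts nor downloading" should be "supports neither executing scripts nor downloading".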
2 changes: 1 addition & 1 deletion config/rollup.config.js
@@ -6,7 +6,7 @@ export default function (config) {
return {
input: 'src/turndown.js',
output: config.output,
external: ['domino'],
external: ['@mixmark-io/domino'],
plugins: [
commonjs(),
replace({ 'process.browser': JSON.stringify(!!config.browser), preventAssignment: true }),
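Review bot: `external: ['@mixmark-io/domino']` only matches that exact specifier, so a subpath import of the fork (for example `@mixmark-io/domino/lib/...`) would be bundled into lib/ rather than left external; that is fine while src/html-parser.js keeps the single bare `require('@mixmark-io/domino')`, but a predicate such as `external: id => id === '@mixmark-io/domino' || id.startsWith('@mixmark-io/domino/')` would make the Node build robust to that change.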
12 changes: 6 additions & 6 deletions package-lock.json
Some generated files are not rendered by default.
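Review bot: the package-lock.json hunk is collapsed on this page, so the `resolved` URL and `integrity` hash for `@mixmark-io/domino` cannot be reviewed here; please confirm the lock entry points at the registry tarball for the 2.2.x release required by package.json and that the old `domino` entry is fully removed, since this commit is the point at which the fork becomes a trusted dependency of every consumer.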
4 changes: 2 additions & 2 deletions package.json
@@ -7,13 +7,13 @@
"module": "lib/turndown.es.js",
"jsnext:main": "lib/turndown.es.js",
"browser": {
"domino": false,
"@mixmark-io/domino": false,
"./lib/turndown.cjs.js": "./lib/turndown.browser.cjs.js",
"./lib/turndown.es.js": "./lib/turndown.browser.es.js",
"./lib/turndown.umd.js": "./lib/turndown.browser.umd.js"
},
"dependencies": {
"domino": "^2.1.6"
"@mixmark-io/domino": "^2.2.0"
},
"devDependencies": {
"@rollup/plugin-commonjs": "^19.0.0",
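Review bot: `"@mixmark-io/domino": "^2.2.0"` keeps a caret range on a package the project's own organization now publishes, so every future minor release of the fork is picked up by consumers without a Turndown release to review it; decide whether an exact pin, or at least a documented release process for the fork, fits the supply-chain posture SECURITY.md describes. The `browser` field mapping `"@mixmark-io/domino": false` is correctly renamed, so browser bundles still omit the parser.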
2 changes: 1 addition & 1 deletion src/html-parser.js
@@ -47,7 +47,7 @@ function createHTMLParser () {
}
}
} else {
var domino = require('domino')
var domino = require('@mixmark-io/domino')
Parser.prototype.parseFromString = function (string) {
return domino.createDocument(string)
}
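Review bot: only the require target changes while `domino.createDocument(string)` stays as-is, so the fork's API is assumed to match upstream exactly; a unit test that drives `createHTMLParser()` through the Node branch on a small string would catch drift in a future fork release before it ships. A one-line comment above `var domino = require('@mixmark-io/domino')` saying the scoped package is the project-maintained fork would also help the next reader, since the variable name no longer matches the package name.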

0 comments on commit a4ddaff